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Summary 

The Treasury Department and other agencies have long had the responsibility to ensure that the 
financial sectors of the economy are able to continue operations after physical and economic 
disruptions. This report outlines the financial sector’s recovery plans for two kinds of disasters: 
the inability to conduct transactions and the large losses of asset value. The basic function of the 
payment system is carried out by banks, and monetary policy affects them immediately. Because 
brokers, exchanges, secondary market facilities, and insurance companies carry out crucial 
financial functions, their regulators and trade associations are involved in continuity of operations 
planning. 

Regulators of financial entities have developed guidelines for regulatees to follow to cushion 
physical and economic shocks. There are procedures to protect business information technology, 
physical security, and for the continuity of markets critical for the nation’s transactions. 
Government and private sector initiatives seek cost-effective ways to strengthen the resiliency of 
the financial system’s computers against cyber attacks. Many of these arrangements protecting 
financial institutions against attacks are also part of the national effort to prevent terrorist 
financing from within the financial system. (See CRS Report RL33020, Terrorist Financing: U.S. 
Agency Efforts and Inter-Agency Coordination , by Martin A. Weiss et al.) Defense of financial 
businesses’ information systems is but one deterrence to national threats. 

Following September 11, 2001, the nation became concerned with physical security. The anthrax 
attack in October 2001 heightened worries about biological terrorism. In 2004, the possibility of 
an avian flu pandemic concentrated continuity concerns on natural occurring challenges to the 
smooth functioning of the nation’s financial system. Congress, regulators, and executive branch 
agencies have responded to each of these threats. This report will be updated as events warrant. 



Congressional Research Service 




http://wikileaks.org/wiki/CRS-RL31873 



Banking and Financial Infrastructure Continuity 



Contents 

Banking and Financial Institutions Form a Critical Infrastructure 1 

The Role of DHS 1 

Safety Net Measures in Place 2 

Financial Risks 2 

Operational and Security Risks 4 

Safety and Continuity in Recent Experience 4 

Last Decades of 1900s 4 

2000— Y2K 4 

2001 — September 11 5 

2003 — Blackout 5 

2004 — Humcanes 5 

2004 — Orange Alert 6 

2005 — Hurricanes 6 

Financial Business Continuity Initiatives 6 

Regulatory Initiatives 7 

Government Securities Clearing 7 

Communications 7 

Sound Practices Paper 7 

Federal Financial Institutions Examination Council 8 

Basel II 8 

Executive Branch Initiatives 9 

Government’s Own Financing 9 

Presidential 9 

Financial and Banking Information Infrastructure Committee 10 

Public-Private Treasury Efforts 1 1 

Department of Justice 12 

Private Sector Initiatives 12 

FS-ISAC and Payments Networks 12 

Securities Industry 13 

Banking Industry 13 

Financial Services Sector Coordinating Council for Critical Infrastructure 

Protection and Homeland Security 13 

Legislation and Oversight 15 

Post-September 11 Legislation 15 

Intelligence Reform and Terrorism Prevention Act of 2004 16 

Congressional Oversight 16 

Developing Concerns: Pandemic Flu 17 

Conclusion: Convergence of Public-Private Practices for Financial Continuity 18 

Appendixes 

Appendix. Major Acronyms 19 



Congressional Research Service 




http://wikileaks.org/wiki/CRS-RL31873 



Banking and Financial Infrastructure Continuity 



Contacts 

Author Contact Information 19 



Congressional Research Service 




http://wikileaks.org/wiki/CRS-RL31873 



Banking and Financial Infrastructure Continuity 



Banking and Financial Institutions Form a Critical 
Infrastructure 

Financial institutions, including banks, other depositories, securities dealers, insurers, and 
investment companies are part of the nation’s critical infrastructure required for the nation’s 
minimum economic operations. 1 Financial institutions accept funds from various sources and 
make them available as loans or investments to those who need them. America has vulnerabilities 
because its financial records are on computers and paper. 

Financial institutions face two categories of emergencies that could impair their functioning. The 
first is directly financial: a sudden drop in the value of financial assets, whether originating 
domestically or elsewhere in the world, that could cause a national or even global financial crisis. 
The second is operational: the failure of the support structures that underlie the financial system. 
Either could disrupt the nation’s ability to supply goods. They could reduce the pace of economic 
activity, or at an extreme, cause an actual contraction of economic activity. 

Collapse of one prominent entity could evoke a contagion effect, in which sound financial 
institutions become viewed as weak and panicked customers withdraw funds from sound entities, 
causing them to fail. Regulators generally address financial problems through deposit insurance 
and other sources of liquidity (such as emergency loans) for distressed institutions, safety and 
soundness regulation, and direct intervention. They address operational risks through corrective 
actions (as with the Y2K problem), redundancy, regulation, auditing, and other physical security. 
Under the worst case scenarios, the Federal Reserve (Fed) can limit economic damage by 
supplying liquidity to the financial system and employing monetary policy to expand domestic 
demand (as it did following the 2001 terrorist attacks). In the Terrorism Risk Insurance Act of 
2002 (TRLA), Congress expanded the Fed’s ability to act as lender of last resort to the financial 
and real economies. 2 Congress may also legislate direct federal assistance to protect the financial 
infrastructure as it did in the cases of Chrysler, the Farm Credit System, and New York City to 
prevent them from defaulting, potentially causing failure in major parts of the financial system 
and the economy. 



The Role of DHS 

The Department of Homeland Security (DHS) is the government agency responsible for 
communications security oversight/ Financial institutions and their regulators operate in a 



1 CRS Report RL32631, Critical Infrastructure and Key Assets: Definition and Identification, by John D. Moteff and 
Paul W. Parfomak. Congress specified financial services as critical physical and information infrastructure in P.L. 107- 
56, Section 1016, Oct. 26, 2001. Banking and finance are critical infrastructure similar to telecommunications, water, 
etc. in The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets, at 
http://www.whitehouse.gov/pcipb/physical.html; The National Strategy to Secure Cyberspace, at 
http://www.whitehouse.gov/pcipb; “Homeland Security Presidential Directive/HSPD-7,” at 

http://www.whitehouse.gov/news/releases/2003/12/print/20031217-5.html; and are expected to be clearly identified in 
a future written National Infrastructure Protection Plan (see Federal Register, vol. 7, no. 212, Nov. 3, 2005, p. 66840). 

2 P.L. 109-144, which expires Dec. 31, 2007, extended P.L. 107-297. For a history and other information about TRIA, 
see CRS Report RS21979, Terrorism Risk Insurance: An Overview, and CRS Report RL33 177, Terrorism Risk 
Insurance Legislation in 2005: Issue Summary and Side-by-Side, by Baird Webel. 

3 “Administering the New Department of Homeland Security,” at http://www.congress.gov/erp/legissues/html/ 
(continued...) 
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different environment from nonfinancial ones. Financial intermediaries’ most valuable assets are 
frequently business records that exist either as intangible computer records or as fragile paper 
documents. The financial sector rarely owns the external communications systems on which they 
depend. This lack of ownership limits the sector’s ability to protect directly their vital 
communications. Protecting financial and banking computer hardware and software may require 
outside support. 

DHS works with Treasury Department bodies concerned with financial security. Treasury assigns 
an expert in financial services matters on a rotating basis to DHS. 4 Following its move into DHS, 
the Secret Service, in cooperation with the Carnegie Mellon Software Institute, reviewed threats 
to information systems in critical financial infrastructures. 5 DHS has issued financial institution- 
specific alerts based on intelligence reports. 6 



Safety Net Measures in Place 

This section offers a high level review of the powers of various financial regulators to intervene 
to prevent financial problems from spreading throughout the economy. It looks at both financial 
risks (those from a sudden decrease in value or a threat that financial intermediaries might not be 
able to honor their obligations to depositors) and physical risks (also known as operational and 
security risks). 



Financial Risks 

Financial regulation includes deposit insurance, safety and soundness oversight, and the Fed as 
lender of last resort and ultimate protector of the financial system. Many arrangements protect 
financial institutions and their customers from different kinds of risk. 7 

The Fed has long stood ready to provide liquidity in the form of emergency loans to the banking 
system. The Federal Deposit Insurance Corporation (FDIC) protects depositors against failure of 
a bank or savings association. This insurance helps to prevent depositor panics that could drain 
banks of their funds, and in turn could lead to curtailed lending and calling in loans. Even a 
healthy depository institution, otherwise untouched by any cause of failure, could not long 
withstand a depositor panic. 

The FDIC brings order to the process of resolving insolvent banks. This agency has long had 
authority to prevent the failure of a bank it deems essential, which Congress supplemented in the 
1980s and 1990s to allow even greater flexibility. The FDIC may borrow up to $30 billion from 



(...continued) 

isdhs2.html. 

4 “Treasury Introduces Upgrades Designed To Help Safeguard Financial Service System,” BNA ’s Banking Report , Dec. 
8, 2003, p. 836. 

5 U.S. Secret Service, “Secret Service and CERT Coordination Center Release Comprehensive Report Analyzing 
Insider Threats to Banking and Finance Sector,” press release, at http://www.secretservice.gov/press/publ804.pdf. 

6 Derrick Cain, “Nation's Banks Conduct 'Business as Usual’ After Specific Threats to Certain Institutions,” BNA’s 
Banking Report, Aug. 9, 2004, p. 221. 

7 CRS Report RS21987, When Financial Businesses Fail: Protection for Account Holders, by Walter W. Eubanks. 
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the U.S. Treasury for rescue operations. Credit unions have similar arrangements with their 
Central Liquidity Facility and Share Insurance Fund. The Pension Benefit Guaranty Corporation 
(PBGC) guarantees pension funds with defined benefits. 

The securities industry lacks a pool of emergency liquidity, but the Fed may, if it chooses, lend 
directly to securities firms. The federal government protects individual securities accounts against 
operational losses — although not collapses of market value — through the Securities Investor 
Protection Corporation. 8 Each state has a guaranty fund to make good the obligations of an 
insolvent state-regulated insurance companies, although there is no national liquidity pool. TRIA 
provides a federal backstop for insurers willing to provide terrorism insurance. This law is 
designed to assure that such insurance remains available by protecting providers against 
catastrophic losses in case of terrorist attacks. 

Other agencies bolster the national financial safety net maintaining confidence in many other 
ways. Not all of these entities provide liquidity or rescue in the case of financial failure. For many 
years, the securities industry and issuers have had overseers and programs designed to prevent a 
collapse in confidence originating within the system. The Securities and Exchange Commission 
(SEC) has sought transparency (disclosure) in the financial practices of businesses whose 
securities are traded in public markets. The Sarbanes-Oxley Act of 2002 sought to restore investor 
confidence by strengthening the regulation of independent auditors and by increasing the 
accountability of corporate executives and directors. 9 The Federal Housing Finance Board and the 
Office of Federal Housing Enterprise Oversight regulate safety and transparency of important 
non-depository housing finance institutions. 10 The Commodity Futures Trading Commission 
(CFTC) oversees organized markets on futures and similar contracts through self-regulatory 
organizations. 

Every state regulates its state -chartered banks, credit unions, thrift institutions, and companies 
engaged in securities and futures operations. Although state-chartered depository institutions are 
subject to federal regulation, the states are the primary regulators for insurance companies, 
finance companies, mortgage bankers, and the like. All 50 states oversee industry-funded 
guaranty funds to cover insolvencies in insurance companies, and some sponsor insurance for 
credit unions. State regulatory bodies for their respective industries are linked through the 
Conference of State Bank Supervisors, National Association of Insurance Commissioners, and 
North American Securities Administrators Association. 

Most important for the worst cases of financial disruption, the Fed can inject funds into the 
economy to maintain liquidity in the financial system. Its authority to lend to individual 
institutions allows it to support institutions that analysts characterize as too-big-to-fail, because 
their collapse would pose a systemic risk to the economy. With TRIA, Congress strengthened the 
Fed’s authority to lend to businesses directly in “unusual or exigent circumstances.” 11 



8 CRS Report RS21741, Securities Investor Protection Corporation , by Gary Shorter. 

9 P.L. 107-204, July 30, 2002. 

10 CRS Report RL32815, Federal Home Loan Bank System: Policy Issues, by Edward Vincent Murphy. 

1 1 CRS Report RS21986, Federal Reserve: Lender of Last Resort Functions, by Marc Labonte. 



Congressional Research Service 



3 




http://wikileaks.org/wiki/CRS-RL31873 



Banking and Financial Infrastructure Continuity 



Operational and Security Risks 

Safety and soundness regulators issue guidelines and specific regulations for redundancy and 
security in physical and financial systems. They have long required banking institutions to 
consider operating (security) risks in contingency planning, and now include risk of catastrophic 
disruptions such as occurred on September 1 1, 2001. The securities industry is refining its 
procedures along similar lines. Insurance and other non-depository, non-securities financial 
businesses have not revealed their continuity plans. Although vital, they are not considered as 
critical. Few would regard the inability to process car loans, for example, as serious a problem as 
the inability to process checks and securities. 



Safety and Continuity in Recent Experience 

This section reviews the major financial disruptions since the stock market crash of 1987 and how 
the government responded to reduce the chance that the disruption could spread and cause severe 
finance and economic problems. 

Last Decades of 1900s 

Sudden drops in the value of financial assets that affected the U.S. financial system late in the 20 th 
century include the 1987 stock market crash, the savings and loan and banking collapses of 1989- 
1991, and the 1997-1998 Asian and Russian financial crises. The Fed and other financial 
regulators responded by providing liquidity to the banking system, and so to the economy. 
Following the 1987 stock market crash, several regulatory agencies and the President’s Working 
Group on Financial Markets issued many recommendations that became practice. 12 That group 
issued another study, with recommendations, in the late 1990s when international disturbances 
threatened the United States through the near collapse of the Long-Term Capital Management 
hedge fund. It examined problems that financial derivatives posed to the economy in 1999. 
Congress passed reforms of federal deposit insurance and banking regulators’ authorities over 
practices threatening depository institutions in 1989 and 1991. 13 Agency powers of persuasion 
and the Fed’s ability to lend to distressed entities for short-term liquidity reinforce formal 
regulations requiring time not available during crises. 



2000 -Y2K 

The operational safety net created to defend against computer problems feared for the Year 2000 
(Y2K) worked. The widely anticipated Y2K bug was a software programming problem that could 
have caused failures in the infrastructure upon which the system relies. Public and private groups 
worked hard to prevent the widely feared collapse of financial capabilities on January 1, 2000. 
Y2K came and went without serious incident and the systematic backups and safeguards provided 
against it proved invaluable the following year. 



12 This group consists of the Treasury, Fed, SEC, and CFTC. 

13 Financial Institutions Reform, Recovery, and Enforcement Act of 1989, P.L. 101-73, Aug. 9, 1989; Federal Deposit 
Insurance Corporation Improvement Act of 1991, P.L. 102-242, Dec. 19, 1991. 
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2001 — September 11 

With the September 11, 2001 destruction of the World Trade Center, both problems — financial 
loss of asset values, and operational interruption — occurred simultaneously. The financial side of 
the response worked well, as the Fed provided liquidity to prevent panic. It injected more than 
$100 billion into the banking system. It arranged international facilities to keep the global 
financial system operating. The Fed and central banks around the world cut interest rates and lent 
money to banks to ease pressures on borrowers. 

The SEC issued emergency rules encouraging buying when the stock markets reopened. Trading 
recommenced rapidly, as the U.S. Treasury security market reopened on September 13, and the 
equities market was in full operation on September 17. Physical infrastructure recovery required a 
few days of heroic efforts (e.g., running new connections into Manhattan). Off-site record 
keeping, sharing of working space with displaced competitors, and increasing reliance on 
electronic records and communications systems by institutions outside the attack area allowed 
quick resumption of near-normal operations. Regulators and industry groups made it known that 
financial firms would need new contingency plans and stress tests to protect against more extreme 
situations in the future. Many insurance companies stopped writing insurance covering terrorist- 
related claims. This led TRIA to encourage insurers to write terrorism risk insurance. 

Nevertheless, some high-profile commercial properties lack terrorism insurance because of the 
high cost of such protection in spite of TRIA. The government also provides insurance to 
domestic airlines under the Air Transportation Safety and System Stabilization Act. 14 

2003 — Blackout 

Emergency response measures noted above helped reduce the financial market damages from the 
August 14, 2003 power blackout in the northeastern United States and Canada. Treasury received 
no reports of major disruptions or losses of financial data, in large part because of steps taken to 
make systems resilient and redundant. Despite glitches, the majority of stock, options, 
commodities, futures, and bonds markets soon returned to normal operation. Banks closed 
affected offices in New York and Detroit; elsewhere, financial systems operated normally. The 
Fed’s payments and emergency lending systems operated well. Banks borrowed and repaid $785 
million from the Fed after the blackout, the most since the week after September 11. Applications 
for new mortgages fell temporarily because of the blackout. Contrary to initial fears, terrorists had 
not caused the blackout, and the blackout did not severely stress the nation’s financial economy. 15 

2004— Hurricanes 

Several financial institutions in the southern and eastern United States had to suspend operations 
in areas affected by hurricanes and tropical storms in 2004. Federal and state regulators issued 
orders allowing banks in areas affected by Hurricanes Bonnie, Charley, Frances, Ivan, and Jeanne 
to suspend operations. Despite large payouts for storm-related damage to many sectors, the 
insurance sector rebounded. 



14 P.L. 107-42, Sept. 22, 2001. 

15 "Measures Prompted by Sept. 1 1 Helped Banks Weather Electrical Outage, Snow Says,” BNA ’s Banking Report, 
Aug. 25, 2003, p.254; Todd Davenport, "In Brief: Outage Sparked $785M of Fed Lending,” American Banker Online, 
Aug. 22, 2003; and Rob Blackwell, "Backup Site Questions, Utility Loan Prospects,” American Banker Online, Aug. 
18, 2003. (Hereafter cited as Blackwell, Backup Site Questions.) 
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2004 — Orange Alert 

Financial institutions received warnings of an elevated threat level in August 2004, raising 
concerns about the possibility of another September 1 1 event. Although no such threats 
materialized, public and private preparations were made appropriately. 

2005 — Hurricanes 

Almost all of the financial sector’s protections put in place in recent years had to be activated 
regionally due to the hurricanes of 2005. Flurricane Katrina disrupted both power and 
communications in parts of Mississippi, Alabama, and Louisiana. Cash could not be withdrawn, 
checks could not be cashed, and debit and credit card networks (including ATMs) were down. In 
addition, facilities of a number of financial institutions were destroyed by wind or made 
inaccessible by water. Continuity of operations procedures, which are required of all but the 
smallest depository institutions, include maintaining critical personnel and data storage (with 
daily backups) at sites located at least 20 miles from a bank’s headquarters. In almost every case, 
data backups worked despite loss of electricity. Joint guidance provided by the four federal bank 
regulators, and independently by the National Credit Union Administration, advised a temporary 
easing of regulations, facilitating recovery. (See CRS Report RS22263, Katrina’s Wake: Restoring 
Financial Services, by William D. Jackson and Barbara Miles.) 

Insurance claims did not threaten the industry. Insured losses from Hurricane Katrina are 
estimated at $40.6 billion. 16 Nevertheless, the U.S. property-casualty insurance industry’s net 
income after taxes rose by more than 4% during that time. 17 Increasing premiums seem inevitable 
in affected areas, thereby strengthening industry surpluses and viability. 



Financial Business Continuity Initiatives 

The payments system continued to function after the attack on New York’s financial activity. 
Providers realize that coordination between their primary site and one or more backup sites needs 
to be improved. 

The banking sector now functions normally. Despite initial concerns over safety, deposits inflows 
continued and profits were high even while borrowing slowed. Bond trading levels have 
recovered to their previous volume despite devastation of Cantor Fitzgerald, the company 
responsible for most of the market for government bonds. The stock markets recovered. With the 
federal backstop for insurers, coverage of acts of terrorism is available, although with higher 
premiums. 



16 Insurance Information Institute, “Nearly 95 Percent of Homeowners Claims from Hurricane Katrina Settled and Tens 
of Billions of Dollars Paid to Affected Communities in Louisiana and Mississippi, Insurance Information Institute 
Reports,” Aug. 22, 2006, at http://www.iii.org/media/updates/press.760032/. 

17 “In Brief: Despite Storms, P/C Profits Grew 4.4%,” American Banker Online, Dec. 29, 2005. 
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Regulatory Initiatives 

This section examines the changes that financial regulators have made to improve the resilience 
of the nation’s financial system since September 11, 2001, and plans for future changes. 

Government Securities Clearing 

Regulators are concerned about the U.S. government securities market, in view of its critical role 
for conducting monetary policy operations, financing government activities, and providing 
benchmark prices and hedging opportunities for other securities markets. On May 13, 2002, the 
Fed, the Office of the Comptroller of the Currency (OCC), and the SEC issued a white paper 
called Structural Change in the Settlemen t of Government Securities. That paper expressed 
concerns about operational, financial, and structural vulnerabilities from having only two clearing 
banks. In response, the Fed initiated a number of measures including a backup dormant clearing 
and settlement bank, ready to act should the two banks clearing government securities 
transactions be unable to do so. 18 

Communications 

At the intersection of financial and communications markets, the Fed (in coordination with 
Treasury and the other banking agencies) has strengthened its programs for giving financial firms 
access to priority emergency communications. 19 These programs, which the National 
Communications System administers, help financial markets overcome substantial operational 
disruptions. They are (1) Telecommunications Service Priority for circuits used in large-value 
interbank funds transfer, securities pricing and transfer, and payment-related services, (2) 
Government Emergency Telecommunications Service (GETS) for priority calls over terrestrial 
public switched networks, and (3) Wireless Priority Service of cellular calls during severe 
network congestion. The GETS program is now available to all financial institutions. 20 

Sound Practices Paper 

The Fed, the OCC, and the SEC have issued an Interagency Paper on Sound Practices to 
Strengthen the Resilience of the U.S. Financial System . 21 The Sound Practices paper covers the 
largest wholesale financial sector businesses. It does not address retail or trading operations, nor 
the insurance sector. The regulators directed financial institutions involved in financial clearing 
and settlement activities to adopt the paper’s guidance. This provides flexibility to firms in 
managing geographic dispersion of backup facilities and staffing arrangements, and takes into 

account cost-effective application of sound practices. It includes participation from the New York 

22 

State Banking Department and the Federal Reserve Bank of New York. 



18 Federal Reserve Press Release, Jan. 30, 2004, at http://www.federalreserve.gov/boarddocs/press/other/2004/ 
200401 30/default. htm. 

19 At http://www.occ.treas.gov/ftp/bulletin/2003-13.txt. 

20 R. Christian Bruce, “GETS Cards Urged for Financial Institutions To Ensure Smooth Communications in Crises,” 
BNA ’.s' Banking Report, Dec. 6, 2004, p. 859. 

21 Federal Register, vol. 68, no. 70, Apr. 11, 2003, pp. 17809-17814. 

22 At http://www.occ.treas.gov/ftp/bulletin/2003-14.txt. 
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The Sound Practices paper analyzes the risks of a breakdown in a transfer system or a financial 
market that cannot fulfill its obligations, creating liquidity and credit problems for customers. It 
focuses on protections for core check clearing and settlement for financial companies involved in 
critical markets, such as federal funds, foreign exchange, commercial paper, and government, 
corporate, and mortgage -backed securities. This regulation deals with substantial interruptions of 
transportation, telecommunications, or power systems throughout a major region, perhaps with 
evacuation of population. It lists four sound practices that a covered firm should carry out: 

• identify clearing and settlement activities supporting critical financial markets, 

• determine appropriate recovery and resumption objectives for clearing and 
settlement activities in support of critical markets, 

• maintain sufficient geographic dispersion of resources to meet recovery and 
resumption activities, and 

• routine use or test recovery and resumption arrangements. 

This paper requires robust backup facilities for clearance and settlement activities, resumption of 
normal business within two hours, regular testing of backup facilities, and backup personnel. 
They did not recommend moving primary offices of financial and securities firms, contrary to 
some expectations. In April 2006, the three regulatory agencies reported that the 
recommendations were substantially in place. 23 

Federal Financial Institutions Examination Council 

The four bank and one credit union regulatory agencies constitute the Federal Financial 
Institutions Examination Council (FFIEC). This council’s information technology subcommittee 
coordinates agency policies on technological and related risks, including security procedures and 
financial business continuity. 24 Following the damage of Hurricane Katrina, banking agencies 
formed a working group to coordinate emergency responses on both state and national levels to 
“provide institutions with clear, timely, and consistent information on areas of concern.” 25 

Basel II 

For the largest U.S. commercial banking organizations, the Fed has proposed additional mandates 
in its planned regulation known as the “Basel II Capital Accord.” Among the issues raised by 
Basel 11 is a controversial requirement for covered firms to carry more capital for operational 
risk. 26 Operational risk refers to the risk of loss resulting from flawed internal processes, people 
and systems, and external events. Hearings by two subcommittees of the House Financial 
Services Committee in 2003 explored some of its implications, which many bankers feel are 



23 Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Securities and 
Exchange Commission, Joint Report on Efforts of the Private Sector to Implement the Interagency Paper on Sound 
Practices to Strengthen the Resilience of the U.S. Financial System, April 2006, at https://www.fsscc.org/reports/2006/ 
Sound_Practices_Status_Report.pdf. 

' 4 Rob Blackwell, “Regulators Put Examiner Update Online,’ - American Banker Online, Jan. 30, 2003. 

25 See http://www.ffiec.gov/press/pr091905.htm. 

26 See CRS Report RL33278, The Basel Accords: The Implementation of II and the Modification off by Walter W. 
Eubanks. 
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burdensome. 27 A 109 th Congress measure, United States Financial Policy Committee for Fair 
Capital Standards Act, H.R. 1226, would address Basel II, including its operational risk 
component. A similar bill in the 108 th Congress (H.R. 2043) was marked up in subcommittee. 



Executive Branch Initiatives 

This section reports on the actions of executive branch agencies to improve their ability to 
function financially following a catastrophic event. Public -private groups are also discussed. 

Government's Own Financing 

The E-Government Act of 2002 requires financial offices within the federal government to 
develop, document, and carry out agency-wide information security programs. 28 Treasury and 
other agencies have taken steps to protect the government’s critical financial functions, including 
borrowing, making payments (including Social Security), and collecting taxes. Should the threat 
level rise, agencies will work with state and local governments to increase physical and cyber 
security measures, disperse individuals critical to operations, and activate backup facilities. 29 

Presidential 

President Bush has appointed executives of the banking and securities industries to the National 
Infrastructure Advisory Council (NIAC). The panel advises the White House on cyber security 
and information security of critical economic infrastructure, including financial ones. Members of 
NIAC represent major sectors of the economy: banking and finance, transportation, energy, 
information technology, and manufacturing. It includes representatives from academia, state and 
local government, and law enforcement. NIAC works closely with the President’s National 
Security and Telecommunications Advisory Committee. 3<t 

NIAC meets periodically to 

• enhance the partnership of the public and private sectors in protecting 
information systems for critical infrastructures and provide reports to the 
Secretary of Homeland Security, 

• encourage private industry to perform periodic risk assessments of critical 
information and telecommunications systems, 



27 U.S. Congress, House Committee on Financial Services, Subcommittee on Domestic and International Monetary 
Policy, Trade and Technology, The New Basel Accord — Sound Regulation or Crushing Complexity?, hearing on H.Hrg. 
108-5. 108 th Cong., 1 st sess., Feb. 27, 2003 (Washington: GPO, 2003), at http://frnancialservices.house.gov/ 
hearings. asp ?formmode=detail&hearing=l 82; and House Financial Services Committee, Subcommittee on Financial 
Institutions and Consumer Credit, The New Basel Accord — in Search of a Unified U.S. Position, hearing on H.Hrg. 
108-40, 108 th Cong., 1 st sess., June 19, 2003, (Washington: GPO, 2003), at http://financialservices.house.gov/ 
hearings, asp ?formmode=detail&hearing=236. 

28 P.L. 107-347, Dec. 17, 2002. 

29 Department of the Treasury, "Treasury Statement on Measures to Protect the Financial Markets during Hostilities 
with Iraq," press release. Mar. 17, 2003, at http://www.treas.gov/press/releases/ jsll4.htm. 

30 Department of the Treasury, "Appointments to National Infrastructure Advisory Committee," press release. Sept. 18, 
2002, at http://www.whitehouse.gov/news/releases/2002/09/20020918-12.html. 
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• monitor the development of private sector Information Sharing and Analysis 
Centers (ISACs) and provide recommendations to the President through the 
Secretary of Homeland Security on how these organizations can foster 
cooperation among ISACs, DHS, and other government entities, 

• report to the President through the Secretary of Homeland Security, who 
coordinates with the Assistant to the President for Homeland Security, the 
Assistant to the President for Economic Policy, and the Assistant to the President 
for National Security Affairs, and 

• advise lead agencies with critical infrastructure responsibilities, sector 
coordinators, DHS, and ISACs, including for the banking and finance sector. 31 

In 2003, Presidential Homeland Security Directive 7 assigned sectoral protection responsibility to 
departments and agencies based on their expertise in infrastructures. 32 Treasury is the sector- 
specific agency for the banking and finance sector and operates through numerous channels noted 
below. 33 

Financial and Banking Information Infrastructure Committee 

Treasury’s Office of Critical Infrastructure Protection, formed after September 11, staffs the 
Financial and Banking Information Infrastructure Committee (FBIIC). Its chair is Treasury’s 
Assistant Secretary for Financial Institutions. 34 Its mission is to coordinate federal and state 
efforts to improve the reliability and security of the financial system. 35 A public sector group, 
FBIIC was created by executive order in 2001 and includes representatives of the following: 

• Commodities Futures Trading Commission 

• Conference of State Bank Supervisors 

• Department of the Treasury 

• Farm Credit Administration 

• Federal Deposit Insurance Corporation 

• Federal Housing Finance Board 

• Federal Reserve Bank of New York 

• Federal Reserve Board 

• National Association of Insurance Commissioners 



31 Department of the Treasury, “Executive Order Amendment of Executive Orders, and Other Actions, in Connection 
with the Transfer of Certain Functions to the Secretary of Homeland Security,” press release, Feb. 8, 2003, at 
http://www.whitehouse.gov/news/releases/2003/02/20030228-8.html. 

32 “Homeland Security Presidential Directive/HSPD-7,” at http://www.whitehouse.gov/news/releases/2003/12/print/ 
20031217-5.html. 

33 Statement by Scott D. Parsons, “Financial Market Preparedness for Wide-Scale Disasters or Disruptions: A Treasury 
Perspective,” before the Subcommittee on Government Management, Finance, and Accountability of the House 
Committee on Government Reform, Sept. 26, 2005, at http://www.treas.gov/press/releases/js2950.htm. 

34 It was the Office of Homeland Security's Financial Markets Work Group. 

33 Financial and Banking Information Infrastructure Committee (FBIIC), at http://www.fbiic.gov. 
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• National Association of State Credit Union Supervisors 

• National Credit Union Administration 

• North American Securities Administrators Association 

• Office of the Comptroller of the Currency 

• Office of Federal Housing Enterprise Oversight 

• Office of Thrift Supervision 

• Securities and Exchange Commission 

• Securities Investor Protection Corporation 

FBIIC conducts vulnerability assessments of the retail payment system, government-sponsored 
enterprises (such as Fannie Mae, Freddie Mac, and the Federal Home Loan Banks), and the 
insurance industry — none directly addressed in the Structural Change report — and other 
improvements to financial resiliency . 36 Treasury has procedures for secure communications 
between federal and state regulators to share information about an event affecting their regulated 
financial institutions . 37 FBIIC has analyzed how to counter “phishing” attacks against financial 
institutions, and how financial institutions recovered from Hurricane Isabel. 3 * It met frequently 
during the events surrounding Katrina . 39 

Public-Private Treasury Efforts 

Treasury has created a public -private partnership to ally with FBIIC, drawing together industry 
initiatives and coordinating private sector outreach for critical infrastructure protection and 
homeland security . 40 Treasury efforts to reduce vulnerabilities include providing alternative lines 
of communication for market participants. The department provides secret physical security 
measures to key financial institutions requesting them . 41 

Treasury has a four-pronged overall approach to promoting continuity in the financial system and 
preventing interruption in case of a catastrophe. The focus first is on people. The second critical 
element is maintaining a high level of confidence in the functioning of the financial system. The 
third element is making sure that markets remain open — or, if they do close, reopen as quickly as 



36 Government officials describe initiatives in U.S. Department of the Treasury. Briefing Book on the Financial and 
Banking Information Infrastructure Committee and U.S. Department of the Treasury Critical Infrastructure Protection 
and Homeland Security Initiatives, Nov. 14, 2002, at http://www.fbiic.gov. 

37 “Treasury Introduces Upgrades Designed to Help Safeguard Financial Service System,’" BNA ’s Banking Report, Dec. 
8, 2003, p. 836. 

3S Published results are found at http://www.treas.gov/offices/domestic-finance/financial-institution/cip. 

39 Statement by Scott D. Parsons, “Financial Market Preparedness for Wide-Scale Disasters or Disruptions: A Treasury 
Perspective,” before the Subcommittee on Government Management, Finance, and Accountability of the House 
Committee on Government Reform, Sept. 26, 2005, at http://www.treas.gov/press/releases/js2950.htm. 

40 Department of the Treasury, “Treasury Names Private Sector Coordinator for Critical Infrastructure Protection 
Partnership Effort,” press release, May 14. 2002, at http://www.treas.gov/press/releases/ 

po3 1 00.htm?IM AGE.X=35\&IM AGE. Y =10. 

41 Ben White, “Terrorism and the Markets: Officials Cite Improved Protections but Lingering Vulnerabilities,” 
Washington Post, Mar. 19, 2003, p. E3. 
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possible. The final element is that resilience requires diversification if the primary place of 
business is nonfunctional. 42 

Treasury has created a Protective Response Planning Program. This program brings together 
federal and local government officials, members of law enforcement and individuals from 
important financial institutions to develop and coordinate emergency responses to major 
disruptions regionally. 43 One such cooperative network, ChicagoFIRST, is a model for similar 
activities around the nation and is described below. 

Department of Justice 

Independent of other efforts, the Department of Justice has developed a set of Suggested Best 
Practices on Computer and In ternet Security for Financial Institutions. 44 The document informs 
financial firms of national resources available to them as well. 



Private Sector Initiatives 

This section summarizes the actions of businesses to improve their ability to survive major 
economic and financial disruptions. It also reports on public-private collaboration. 



FS-ISAC and Payments Networks 

Y2K and other threats to financial companies had been feared for years. Many businesses 
defended their operations through hardware and software tests and upgrades. For example, they 
created the Financial Services-Information Sharing and Analysis Center (FS-ISAC) in 1999. 
Nearly 1,000 banking, securities, insurance, and investment firms participate in FS-ISAC, 
maintaining a database of security threats and system vulnerabilities, which they tie in with the 
previously noted Treasury bodies. 45 Participants privately run FS-ISAC, like ISACs of 14 sectors. 
Observers have credited it with safeguarding more than 1,300 financial institutions worldwide 
from any damage threatened by a computer virus targeted at them known as Bugbear.B. 46 
Treasury awarded FS-ISAC a $2 million contract to upgrade financial institution security and to 
increase its membership. 47 Prominent funds transfer networks and securities exchanges have 
strengthened their continuity plans both independently and in conjunction with FS-ISAC. 48 



42 Kip Betz, “Treasury Official Sees Progress in Crisis Preparedness Efforts,” Daily Report for Executives. Mar. 21, 
2003, p.18. 

42 Department of the Treasury, “Remarks of Michael A. Dawson, Deputy Assistant Secretary for Critical Infrastructure 
Protection and Compliance Policy,” Protecting the Financial Sector from Terrorism and Other Threats, press release, 
Jan. 8, 2004, at http://www.treas.gov/press/releases/jsl091.htm. 

44 At http://www.fbiic.gov/reports/Best_Practices_Network_Security.doc. 

45 “About FS-ISAC,” at http://www.fsisac.com/aboutus.cfm. 

4(1 David Hillis, “Industry Dodged Bugbear.B Virus,” American Banker Online , June 11, 2003. 

47 U.S. Treasury Department “Remarks of Acting Under Secretary of the Treasury for Domestic Finance, Brian 
Roseboro on the Next Generation Financial Services Information Sharing and Analysis Center,” press release, Dec. 9, 
2003, at http://www.treas.gov/press/releases/jsl047.htm. 

4S David Breitkopf, “How Three Payment Networks are Remaking Contingency Plans,” American Banker Online, Feb. 
21, 2003; and “Remarks by Vice Chairman Roger W. Ferguson, Jr. at Geneva, Switzerland, Oct. 3, 2002,” at 
http://www.federalreserve.gov/boarddocs/speeches/2002/20021003/default.htm. 
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Through the private sector Partnership for Critical Infrastructure Security, FS-ISAC meets 
quarterly with sector coordinators for each of the critical national infrastructure sectors. It 
continues to function actively in public -private partnership and outreach modes, including making 
defenses available against phishing criminal cyber activity seeking to steal financial data. 49 

Securities Industry 

The Securities Industry Association (SLA) has released disaster recovery best practices for its 
members. SIA is working with utility companies in New York to improve physical recovery 
measures. Although the September 1 1 terror attacks did not damage its facilities, the New York 
Stock Exchange (NYSE) has developed backup and redundancy facilities. The NYSE and 
NASDAQ have agreed to trade each other’s stocks if either were to become incapacitated. The 
NYSE and National Association of Securities Dealers (NASD) have mandated business 
continuity plans. Measures revealed by the industry require that most securities firms have 
backup sites far from New York, as the Sound Practices paper suggested, and a wired network to 
the stock exchange through Consolidated Edison’s underground pipes. 50 In cooperation with the 
FBIIC, SIA conducted a wide-ranging test of emergency procedures in October 2005 that was 
viewed it as successful. 

Banking Industry 

Extensive regulatory and supervisory procedures apply to banks as businesses. The potential for 
targeted cyber disruption exists even for single banking firms. Organizations such as the Banking 
Industry Technology Secretariat (BITS), the technology arm of the Financial Services Roundtable 
trade group, focus on industry defenses. It is a nonprofit consortium of the largest 100 financial 
institutions in the country dealing with strategic approaches to crisis management and payments 
systems. BITS estimates that bankers collectively spend more than $1 billion annually on cyber 
security. Daily patches are becoming an industry practice. 51 Bankers may purchase insurance 
against liability for loss of customer confidential information through hacking, transmittal of a 
virus to customers from bank website, and denial of access when customers are unable to get to 
information because bank servers are down. 32 

Financial Services Sector Coordinating Council for Critical Infrastructure 
Protection and Homeland Security 

Organizations representing financial entities have created the Financial Services Sector 
Coordinating Council for Critical Infrastructure Protection and Homeland Security, called FSSCC 
for short. It is essentially a private-sector counterpart to FBIIC. Its members, some of whom have 
self-regulatory oversight of their groups, cover most of America’s finance. Its mission is to 
identify opportunities for coordination, improve knowledge and information sharing, and improve 



49 Financial Services Sector Coordinating Council, Protecting the U.S. Critical Infrastructure: 2004 in Review (New 
York: 2005), p. 5. 

50 “After Sept. 11, the U.S. Learned About Its Economic Resilience,” Wall Street Journal , Mar. 16, 2004, p. A15. 

51 Chris Constanzo, “Collaborating to Put Dent into $1B Security Problem,” American Banker Online, Feb. 11, 2004. 

52 Lee Ann Gjertsen, “St. Paul Web-Risk Policy Offers Small-Bank Shield,” American Banker Online, Nov. 7, 2003. 
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public confidence in sectoral recovery from terrorist attacks and other illegal activities. Its 
members are 

• American Bankers Association 

• America’s Community Bankers 

• American Council of Life Insurers 

• American Insurance Association 

• American Society for Industrial Security International 

• Bank Administration Institute 

• Bond Market Association 

• ChicagoFIRST 

• Chicago Mercantile Exchange 

• CLS Group (foreign exchange) 

• (New York) Clearing House 

• Consumer Bankers Association 

• Credit Union National Association 

• Depository Trust and Clearing Corporation 

• Fannie Mae 

• Financial Information Forum 

• Financial Services Information Sharing and Analysis Center 

• Financial Services Roundtable/BITS 

• Financial Services Technology Consortium 

• Futures Industry Association 

• Independent Community Bankers of America 

• Investment Company Institute 

• Managed Funds Association 

• NASDAQ Stock Market, Inc. 

• National Association of Federal Credit Unions 

• National Association of Securities Dealers 

• National Automated Clearinghouse Association 

• New York Board of Trade 

• Options Clearing Corporation 

• Securities Industry Association 

• Securities Industry Automation Corporation 
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• VISA USA Inc. 

FSSCC holds quarterly meetings with FBIIC. 53 

Another example of the multiplicity of connections to strengthen financial industry resiliency is 
ChicagoFIRST, a regional coalition augmenting nationwide information sharing and policy 
initiatives. Formed in 2003 when Chicago’s financial institutions decided that after September 1 1 
they were as vulnerable as those in New York, it includes many members of FSSCC listed above 
and Illinois governments. A limited liability company funded by its for-profit members, it has 
developed defensive capabilities that are recognized as a model for other regional arrangements 
to fortify specific areas. 54 

In the communications arena, FSSCC member organizations have developed contact procedures 
to coordinate industry members and governmental bodies during emergencies, and merged these 
connections into a common database. 



Legislation and Oversight 

This section reports on congressional action in response to disruption to the nation’s economy. 



Post-September 11 Legislation 

Following the attacks of September 1 1, 2001, Congress created DHS by combining all or part of 
22 different agencies. 55 DHS has responsibilities previously assigned to 22 agencies to protect 
communications, transportation, and computer networks. These networks are critical to the 
financial sector’s ability to transform data into useful forms of information such as bank account 
balances, securities prices, orders to buy and sell financial assets, and payments on contractual 
obligations such as loans. 

Congress passed TRIA to backstop terrorism insurance for property-casualty insurers and airlines. 
Other congressional measures, including tax relief for investors and financial integrity initiatives 
increased confidence in the securities markets by 2003. The House approved a bill to give the 
SEC additional authority in a national emergency, on February 26, 2003. The Emergency 
Securities Response Act, H.R. 657, would have allowed the SEC to extend emergency orders 
beyond the 10 business days currently allowed. It also would have expanded the agency’s ability 
to grant exemptions from federal securities laws. Emergency powers could have extended for any 
period specified by the commission up to 90 calendar days. The House had approved a similar 
bill in 200 1 , which the Senate did not take up either. 



53 Financial Services Sector Coordinating Council, Protecting the U.S. Critical Infrastructure, p. 1-65. 

54 U.S. Department of the Treasury, Improving Business Continuity in the Financial Sendees Sector: A Model for 
Starting Regional Coalitions (Washington: 2004), 38 p. 

55 P.L. 107-296 
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Intelligence Reform and Terrorism Prevention Act of 2004 

Beyond anti-terrorist tactics and financing legislative recommendations, the September 1 1 
Commission’s findings led to major financial preparedness legislation. The resulting Intelligence 
Reform and Terrorism Prevention Act of 2004, P.L. 108-458, requires DHS to report on 
vulnerability and risk assessments and the government’s plans to protect infrastructures, including 
financial institutions. 

Treasury is required to report on “the effectiveness and efficiency of efforts to protect the critical 
infrastructure of the United States financial system ....” Treasury is to report on its efforts to 
encourage public -private partnerships to protect critical financial infrastructure. Treasury also has 
authority for government securities market disturbances parallel to the SEC’s authority. 

After consulting with Treasury, the Fed, and the Commodity Futures Trading Commission, the 
SEC is authorized to issue orders and take other emergency actions to address extraordinary 
private securities market disturbances. 

The Fed, the OCC, and the SEC are to report on private sector financial business continuity plans, 
including more financial services entities than are under existing regulation. The agencies 
published their guidance in the Sound Practices noted above. 

The law urges insurance and credit rating companies to consider businesses’ compliance with 
private sector standards in assessing insurability and creditworthiness, to encourage private 
investment in disaster and emergency preparedness. 

The law increases governmental and private emergency preparedness planning. It encourages 
financial businesses smaller than the largest wholesale transacting and clearing entities, the only 
firms now covered by the Sound Practices paper, to undertake emergency preparedness. The 
insurance and credit rating provision reflects concerns over lending and insuring in areas subject 
to flooding and the like, where planning against consequences of disasters is highly relevant. 



Congressional Oversight 

The Government Accountability Office (GAO) has reviewed threat mitigation in financial 
markets and reported its findings to Congress. One study recommended that Treasury coordinate 
with the financial industry to update the sector’s National Strategy for Critical Infrastructure 
Assurance and to improve the process for monitoring its progress. GAO suggested that Treasury 
assess the need for grants, tax incentives, regulation, or other public policy tools. 56 

Another review found deficiencies in the Treasury-Federal Reserve Internet payments system 
known as pay.gov, which seem to have been fixed. 57 

Other recommendations from GAO studies include 



56 U.S. Government Accountability Office, Critical Infrastructure Protection: Efforts of the Financial Sendees Sector 
to Address Cyber Threats, GAO-03-173, Jan. 30, 2003, at http://www.gao.gov. 

57 U.S. Government Accountability Office, Information Security: Computer Controls over Key Treasury Internet 
Payment System, GAO-03-837, July 30, 2003, http://www.gao.gov. 
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• increasing information security controls at Treasury, 58 

• strengthening access controls to the Federal Reserve’s system for Treasury bond 
auctions, 59 and 

• creating an emergency backup system to replace the system for financing the 
government under which the Federal Reserve Bank of New York auctions bonds 
and bills for the Treasury. 60 

Congress examined some of the agency’s findings in a hearing by the House Financial Services 
Subcommittee on Capital Markets, Insurance and Government-Sponsored Enterprises held 
February 12, 2003. 61 GAO found that the Fed, the OCC, and the SEC lacked a strategy for having 
their regulatees resume trading in securities following any disruption of the financial market and 
should work with industry to develop a plan. GAO’s most direct recommendation for actions 
were primarily for the SEC’s operations risk oversight. For bank regulation, GAO noted that 
examiners review physical security, but do not generally focus on terrorism risk mitigation. 



Developing Concerns: Pandemic Flu 

In the past couple of years, the nation has become concerned about the possibility of a pandemic 
flu outbreak. Large scale illness, mass absenteeism, quarantines, and death could disrupt the 
nation’s financial system. Proposals have been made to increase teleworking and alternative work 
locations to contain the spread of the flu. The Department of Health and Human Services is the 
lead agency for government planning. It has created a special website that includes a check list 
for business planning, at http://www.pandemicflu.gov. DHS has held regional meetings around 
the nation to encourage businesses and governments to plan for disruptions. 

The same public and private groups that have worked to develop continuity of operations plans to 
recover after a terrorist attack have also worked together to plan for a pandemic. There is a 
consensus that although a pandemic would cause many of the same problems as a terrorist attack, 
it could be different. A pandemic could be worldwide, but have local concentrations requiring 
unprecedented coordination and communication between financial regulators, the private sector, 
public health officials, school officials, public transportation, mass transit, the communications 
sector and police. 



58 U.S. Government Accountability Office, Improvements Needed in Treasury’s Security Management Program, GAO- 
04-77, Nov. 2003, http://www.gao.gov/new.items/d0477.pdf. 

59 U.S. Government Accountability Office, Information Security: Federcd Resen’e Needs to Address Treasury Auction 
Systems, GAO-06-659, Aug. 30, 2006, at http://www.gao.gov/new.items/d06659.pdf. 

60 U.S. Government Accountability Office, Debt Management: Backup Funding Options Would Enhance Treasury’s 
Resilience to a Financial Market Disruption, GAO-06- 1007, Sept. 2006, at http://www.gao.gov/new.items/ 
d061007.pdf. 

61 U.S. Government Accountability, Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical 
Financial Market Participants, GAO03-25 1 ; Potential Terrorist Attacks: Additional Actions Needed to Better Prepare 
Critical Financial Market Participants, GAO03-414; and Potential Terrorist Attacks: More Actions Needed to Better 
Prepare Critical Financial Markets, GAO03468T, all dated Feb. 12, 2003, through GAO’s website 
http://www.gao.gov. "Recovery and Renewal: Protecting the Capital Markets Against Terrorism," at 
http://financialservices.house.gov/hearings. asp ?formmode=detail&hearing=176. 
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The FSSCC has examined this problem from the perspective of banks and bank regulators, 
including compliance with the new proposed risk-based capital standards known as Basel 11. 62 
Their report emphasizes the need to minimize physical contact among employees, customers, and 
the supply chain, being able to operate with key staff incapacitated, and to have contingency 
plans if suppliers cannot deliver goods and services. 

A joint flu preparedness exercise by FSSCC, Treasury, the Department of Homeland Security, and 
the Securities Industry and Financial Management Association simulate an influenza pandemic 
with absenteeism rates reaching 49%. 63 The goals of the October 2007 exercise were (1) to 
enhance industry understanding of system risks from flu; (2) to provide an opportunity to test 
plans for a flu pandemic; and (3) to study how a flu pandemic would affect the financial structure. 
Over 98% of the 2,550 participating organizations said it helped them in their continuity 
planning. 

A GAO study found that many government agencies would have essential team members 
telecommute during a pandemic, but that very few had tested their plans. 64 

A flu pandemic is not just a concern of the United States. The International Monetary Fund has 
published a report that, in part, addresses the problems that could confront financial institutions. 65 
These include continuity of operations, increased delinquency and default on loans due to illness 
at borrowers’ business and business disruption. The IMF recommended that financial business 
plans for a contagious outbreak, including provisions in case key staff become ill and for working 
from multiple locations. Other suggestions included finding ways for staff to commute without 
mass transit. 



Conclusion: Convergence of Public-Private Practices 
for Financial Continuity 

The private and public sectors have worked together to document and build on the lessons learned 
from the terrorist attacks of September 1 1 and other disruptions. Regulators and special purpose 
groups have monitored the implementation of best practices to the common goal of minimizing 
future disruptions. This has been done by persuasion, regulation, rule, and law. 

Although much of the original impetus was a terrorist attack, the new policies have worked well 
during natural disasters such as hurricanes and have been the basis for planning to mitigate the 
disruption of a flu pandemic. 



62 Patrick McConnell, Banks and Avian Flu: Planning for a Possible Pandemic, undated, at https://www.fsscc.org/ 
influenza/banks_and_avian_flu_planning.pdf. 

63 Financial Banking Information Infrastructure Committee and Financial Services Sector Coordinating Council, 
FBIIC/FSSCC Pandemic Flu Exercise: Media Briefing , October 24, 2007. Available at http://www.treasury.gov/press/ 
releases/reports/panfluhandout.pdf. 

64 Statement of David M. Walker, “Continuity of Operations: Agencies Could Improve Planning for Telework during 
Disruptions,” before the House Committee on Government Reform, May 11, 2006, at http://reform.house.gov/ 
UploadedFiles/GAO%20-%20Walker%20Flu%202006%200pener.pdf. 

65 International Monetary Fund, The Global Economic and Financial Impact of an Avian Flu Pandemic and the Role of 
the IMF, Feb. 28, 2006 at http://www.imf.org/external/pubs/ft/afp/2006/eng/022806.pdf. 
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Appendix. Major Acronyms 

BITS Banking Industry Technology Secretariat 

CFTC Commodity Futures Trading Commission 

DHS Department of Homeland Security 

FBI 1C Financial and Banking Information Infrastructure Committee 
FDIC Federal Deposit Insurance Corporation 

Fed Federal Reserve System 

FS- Financial Services-lnformation Sharing and Analysis Center 

ISAC 

FSSCC Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland 
Security 

GAO Government Accountability Office 

NIAC National Infrastructure Advisory Council 

OCC Office of the Comptroller of the Currency 
PBGC Pension Benefit Guaranty Corporation 

SEC Securities and Exchange Commission 

TRIA Terrorism Risk Insurance Act of 2002 
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